From 7a2524b225f355b4fac9b1fadf92b0682fb090dd Mon Sep 17 00:00:00 2001 From: Perminder Singh Date: Tue, 17 Mar 2026 01:40:05 +0530 Subject: [PATCH 1/5] harden github actions --- .github/workflows/auto-close-issues.yml | 10 +++++-- .github/workflows/ci-lint.yml | 14 ++++++---- .github/workflows/ci-test.yml | 18 ++++++++----- .github/workflows/contributors-png.yml | 11 +++++--- .github/workflows/labeler.yml | 3 ++- .github/workflows/release-workflow-v2.yml | 33 +++++++++++------------ .github/workflows/release-workflow.yml | 32 ++++++++++++---------- 7 files changed, 72 insertions(+), 49 deletions(-) diff --git a/.github/workflows/auto-close-issues.yml b/.github/workflows/auto-close-issues.yml index a2b3310aae..b993340d67 100644 --- a/.github/workflows/auto-close-issues.yml +++ b/.github/workflows/auto-close-issues.yml @@ -4,15 +4,21 @@ on: pull_request: types: [closed] branches: + - 2.0 - dev-2.0 +permissions: + contents: read + issues: write + pull-requests: read + jobs: close_issues: if: github.event.pull_request.merged == true runs-on: ubuntu-latest steps: - name: Close linked issues on non-default branches - uses: processing/branch-pr-close-issue@v1 + uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1 with: token: ${{ secrets.GITHUB_TOKEN }} - branch: dev-2.0 + branch: dev-2.0 \ No newline at end of file diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index ea1eccbee2..37798a7d30 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml 
@@ -7,20 +7,24 @@ on: pull_request: branches: - '*' +permissions: + contents: read jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 - - name: Use Node.js 22.x - uses: actions/setup-node@v1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - node-version: 22.x + persist-credentials: false + - name: Use Node.js 20.x + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + with: + node-version: 20.x - name: Get node modules run: npm ci env: CI: true - name: Lint source code - run: npm run lint + run: npm run lint \ No newline at end of file diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml index e5ceb912c1..484f424510 100644 --- a/.github/workflows/ci-test.yml +++ b/.github/workflows/ci-test.yml @@ -9,6 +9,9 @@ on: branches: - '*' +permissions: + contents: read + jobs: test: strategy: @@ -22,10 +25,12 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Use Node.js 22.x - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22.x @@ -59,7 +64,7 @@ jobs: CI: true - name: Upload Visual Test Report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: visual-test-report path: test/unit/visual/visual-report.html @@ -74,9 +79,10 @@ jobs: CI: true - name: report test coverage if: steps.test.outcome == 'success' - run: bash <(curl -s https://codecov.io/bash) -f coverage/coverage-final.json - env: - CI: true + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 + with: + files: coverage/coverage-final.json + fail_ci_if_error: false - name: fail job if tests failed if: steps.test.outcome != 'success' run: exit 1 \ No newline at end of file 
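Review bot: The new `codecov/codecov-action` step in the last ci-test.yml hunk passes no `token:` input, and with `fail_ci_if_error: false` a rejected or rate-limited upload will pass silently; as far as the action's documentation goes, v4+ needs a repository token for uploads from the repository's own branches (tokenless upload is limited to pull requests from forks of public repos), so add `token: ${{ secrets.CODECOV_TOKEN }}` under `with:`, or set `fail_ci_if_error: true` for non-fork runs so a broken upload surfaces. Replacing `bash <(curl -s https://codecov.io/bash)` with a pinned action is the right direction; note that `secrets.*` are empty for fork pull requests by design, so the token input will be blank there and tokenless upload is what those runs get. The `test` job's earlier steps lie outside this hunk.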
diff --git a/.github/workflows/contributors-png.yml b/.github/workflows/contributors-png.yml index 79933b44a4..321b5ddfa5 100644 --- a/.github/workflows/contributors-png.yml +++ b/.github/workflows/contributors-png.yml @@ -5,15 +5,20 @@ on: paths: - '.all-contributorsrc' +permissions: + contents: read + jobs: build: if: github.ref == 'refs/heads/main' && github.repository == 'processing/p5.js' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20 @@ -30,7 +35,7 @@ jobs: git checkout -- . - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: commit-message: "Update contributors.png from .all-contributorsrc" branch: update-contributors-png diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 74e500b5e6..cc10da56c3 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -3,12 +3,13 @@ on: issues: types: [opened, edited] permissions: + contents: read issues: write jobs: triage: runs-on: ubuntu-latest steps: - - uses: github/issue-labeler@v3.2 + - uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yml diff --git a/.github/workflows/release-workflow-v2.yml b/.github/workflows/release-workflow-v2.yml index 6574cc0e88..dff9a450b2 100644 --- a/.github/workflows/release-workflow-v2.yml +++ b/.github/workflows/release-workflow-v2.yml 
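Review bot: The new workflow-level `permissions: contents: read` in contributors-png.yml looks too narrow for the later `peter-evans/create-pull-request` step, which pushes a branch and opens a pull request; when that step authenticates with the default `GITHUB_TOKEN` it needs `contents: write` and `pull-requests: write`, so the `build` job should carry its own `permissions:` block with those two scopes while the workflow default stays read-only. If the step instead receives a PAT through a `token:` input that the hunk does not show, the read-only default is fine and a comment on the job saying so would help the next reader. `persist-credentials: false` on the checkout appears compatible with that action, since it passes its own credentials on the push. The `with:` block of the create-pull-request step continues beyond the second hunk.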
@@ -18,13 +18,15 @@ jobs: INPUT_TOKEN: ${{ secrets.NPM_TOKEN }} steps: # 1. Setup - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: - node-version: 22 + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 + with: + node-version: 20 - name: Get semver info id: semver - uses: akshens/semver-tag@v4 + uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4 with: version: ${{ github.ref_name }} @@ -42,22 +44,16 @@ jobs: env: CI: true - name: Run test - run: npm test -- --project=unit-tests + run: npm test env: CI: true - name: Run build run: npm run build - - name: Generate types - run: npm run generate-types - - name: test TypeScript types - run: npm run test:types - env: - CI: true # 2. Prepare release files - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/ - name: Create release zip file - uses: TheDoctor0/zip-release@0.6.2 + uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2 with: type: zip filename: release/p5.zip @@ -68,15 +64,15 @@ jobs: # 3. Release p5.js - name: Create GitHub release - uses: softprops/action-gh-release@v0.1.15 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: draft: true prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }} files: release/* generate_release_notes: true - token: ${{ secrets.ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Publish to NPM - uses: JS-DevTools/npm-publish@v1 + uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 with: token: ${{ secrets.NPM_TOKEN }} tag: ${{ steps.semver.outputs.is-prerelease != 'true' && 'latest' || 'beta' }} 
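Review bot: The `INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}` line that opens this hunk's context sits above the `steps:` key, so it appears to be job-level env, which exposes the npm publish token to every step of the job, including `npm ci` and `npm test` that run package lifecycle and test scripts; a hardening pass should confine the secret to the one step that publishes (`JS-DevTools/npm-publish` already receives it via `with: token:`), i.e. remove the job-level `INPUT_TOKEN` line unless something else reads it. The same job-level env appears in release-workflow.yml's first hunk. The pins chosen here, `actions/checkout@f43a0e5…` and `actions/setup-node@3235b87…`, are v3 releases while the CI workflows in this same commit move to v4.3.1 and v4.4.0; the v3 line was built for the Node 16 action runtime, which GitHub has deprecated, so pinning both release workflows to the same v4 commits would keep the set consistent. The job header (`runs-on`, `env`) lies above this hunk.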
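Review bot: Switching the `Create GitHub release` step from `secrets.ACCESS_TOKEN` to `secrets.GITHUB_TOKEN` needs a matching `permissions:` grant, and none of this file's hunks add one; if the repository's default token permission is read-only, `softprops/action-gh-release` will fail to create the draft release. Add to the job (or the workflow) `permissions:` with `contents: write` and keep the rest read-only; the same token switch is applied to release-workflow.yml in patch 4 of this series and needs the same grant. A release created with `GITHUB_TOKEN` also does not trigger `release`-event workflows, unlike one created with a PAT, which is worth confirming against anything downstream. The `JS-DevTools/npm-publish` pin on the new side lacks the `# v1` tag comment that the sibling file carries; add it so pin-updating tools can track the version.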
@@ -84,13 +80,14 @@ jobs: # 4. Update p5.js website - name: Clone p5.js website if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: processing/p5.js-website ref: '2.0' path: website fetch-depth: 0 token: ${{ secrets.ACCESS_TOKEN }} + persist-credentials: false - name: Updated website files if: ${{ steps.semver.outputs.is-prerelease != 'true' }} run: | @@ -111,9 +108,9 @@ jobs: git commit -m "Update p5.js to ${{ github.ref_name }}" - name: Push updated website repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: ad-m/github-push-action@v0.6.0 + uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0 with: github_token: ${{ secrets.ACCESS_TOKEN }} branch: '2.0' directory: website/ - repository: processing/p5.js-website + repository: processing/p5.js-website \ No newline at end of file diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml index 714f0890d0..72e5110f40 100644 --- a/.github/workflows/release-workflow.yml +++ b/.github/workflows/release-workflow.yml @@ -18,13 +18,15 @@ jobs: INPUT_TOKEN: ${{ secrets.NPM_TOKEN }} steps: # 1. Setup - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: - node-version: 22 + persist-credentials: false + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 + with: + node-version: 20 - name: Get semver info id: semver - uses: akshens/semver-tag@v4 + uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4 with: version: ${{ github.ref_name }} 
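Review bot: `persist-credentials: false` on the website checkout is correct only because the later `Push updated website repo` step supplies `secrets.ACCESS_TOKEN` itself; the `Updated website files` script in between only runs `git commit`, which needs no network, so nothing should break, but a comment on the checkout, `# credentials not persisted; the push step below passes ACCESS_TOKEN explicitly`, would stop a future edit from adding a `git push` to that script and hitting an auth failure. Separately, `ACCESS_TOKEN` both clones and pushes p5.js-website here (and p5.js-release in release-workflow.yml), so if it is a classic PAT, a fine-grained token or GitHub App installation scoped to just those repositories would shrink what a leak from this job could reach. The `run: |` script of the next step continues past the end of this hunk.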
@@ -41,17 +43,16 @@ jobs: run: npm ci env: CI: true - - name: Run test + - name: Run build run: npm test env: CI: true - - name: Run build - run: npm run build + - run: rm ./lib/p5-test.js ./lib/p5.pre-min.js # 2. Prepare release files - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/ - name: Create release zip file - uses: TheDoctor0/zip-release@0.6.2 + uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2 with: type: zip filename: release/p5.zip @@ -62,7 +63,7 @@ jobs: # 3. Release p5.js - name: Create GitHub release - uses: softprops/action-gh-release@v0.1.15 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: draft: true prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }} @@ -71,19 +72,21 @@ jobs: token: ${{ secrets.ACCESS_TOKEN }} - name: Publish to NPM if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: JS-DevTools/npm-publish@v1 + uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1 with: token: ${{ secrets.NPM_TOKEN }} + tag: r1 # 4. Update p5.js website - name: Clone p5.js website if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: processing/p5.js-website path: website fetch-depth: 0 token: ${{ secrets.ACCESS_TOKEN }} + persist-credentials: false - name: Updated website files if: ${{ steps.semver.outputs.is-prerelease != 'true' }} run: | @@ -104,7 +107,7 @@ jobs: git commit -m "Update p5.js to ${{ github.ref_name }}" - name: Push updated website repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: ad-m/github-push-action@v0.6.0 + uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0 with: github_token: ${{ secrets.ACCESS_TOKEN }} branch: main 
@@ -114,12 +117,13 @@ jobs: # 5. Update Bower files - name: Checkout Bower repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: processing/p5.js-release path: bower fetch-depth: 0 token: ${{ secrets.ACCESS_TOKEN }} + persist-credentials: false - name: Copy new version files to Bower repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} run: | @@ -135,7 +139,7 @@ jobs: git commit -m "Update p5.js to ${{ github.ref_name }}" - name: Push updated Bower repo if: ${{ steps.semver.outputs.is-prerelease != 'true' }} - uses: ad-m/github-push-action@v0.6.0 + uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0 with: github_token: ${{ secrets.ACCESS_TOKEN }} branch: master From dcd8ce3cb94464dbaab565f2da55304ccdae4717 Mon Sep 17 00:00:00 2001 From: Perminder Singh <127239756+perminder-17@users.noreply.github.com> Date: Tue, 17 Mar 2026 01:47:19 +0530 Subject: [PATCH 2/5] minor fixes --- .github/workflows/auto-close-issues.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/auto-close-issues.yml b/.github/workflows/auto-close-issues.yml index b993340d67..72ac018794 100644 --- a/.github/workflows/auto-close-issues.yml +++ b/.github/workflows/auto-close-issues.yml @@ -4,7 +4,6 @@ on: pull_request: types: [closed] branches: - - 2.0 - dev-2.0 permissions: @@ -21,4 +20,4 @@ jobs: uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1 with: token: ${{ secrets.GITHUB_TOKEN }} - branch: dev-2.0 \ No newline at end of file + branch: dev-2.0 From 7b4f484aedd342cb8c358ac31b20be2d1a079648 Mon Sep 17 00:00:00 2001 
From: Perminder Singh <127239756+perminder-17@users.noreply.github.com> Date: Tue, 17 Mar 2026 03:53:37 +0530 Subject: [PATCH 3/5] reverting unnecessary changes. --- .github/workflows/release-workflow-v2.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-workflow-v2.yml b/.github/workflows/release-workflow-v2.yml index dff9a450b2..216d6e7b9d 100644 --- a/.github/workflows/release-workflow-v2.yml +++ b/.github/workflows/release-workflow-v2.yml @@ -23,7 +23,7 @@ jobs: persist-credentials: false - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: - node-version: 20 + node-version: 22 - name: Get semver info id: semver uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4 @@ -44,11 +44,17 @@ jobs: env: CI: true - name: Run test - run: npm test + run: npm test -- --project=unit-tests env: CI: true - name: Run build run: npm run build + - name: Generate types + run: npm run generate-types + - name: test TypeScript types + run: npm run test:types + env: + CI: true # 2. Prepare release files - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/ @@ -113,4 +119,4 @@ jobs: github_token: ${{ secrets.ACCESS_TOKEN }} branch: '2.0' directory: website/ - repository: processing/p5.js-website \ No newline at end of file + repository: processing/p5.js-website From 8a3eedf899279ea839a241cb9d8329459ebdc900 Mon Sep 17 00:00:00 2001 From: Perminder Singh <127239756+perminder-17@users.noreply.github.com> Date: Tue, 17 Mar 2026 03:54:47 +0530 Subject: [PATCH 4/5] reverting unnecessary changes form release-workflow.yml --- .github/workflows/release-workflow.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml index 72e5110f40..40a944fa60 100644 --- a/.github/workflows/release-workflow.yml +++ b/.github/workflows/release-workflow.yml 
@@ -23,7 +23,7 @@ jobs: persist-credentials: false - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: - node-version: 20 + node-version: 22 - name: Get semver info id: semver uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4 @@ -43,11 +43,12 @@ jobs: run: npm ci env: CI: true - - name: Run build + - name: Run test run: npm test env: CI: true - - run: rm ./lib/p5-test.js ./lib/p5.pre-min.js + - name: Run build + run: npm run build # 2. Prepare release files - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/ @@ -69,13 +70,12 @@ jobs: prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }} files: release/* generate_release_notes: true - token: ${{ secrets.ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Publish to NPM if: ${{ steps.semver.outputs.is-prerelease != 'true' }} uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1 with: token: ${{ secrets.NPM_TOKEN }} - tag: r1 # 4. Update p5.js website - name: Clone p5.js website From a4c4bbd00f54d52b484d18e9dab86d1d5d479912 Mon Sep 17 00:00:00 2001 From: Perminder Singh <127239756+perminder-17@users.noreply.github.com> Date: Tue, 17 Mar 2026 03:56:04 +0530 Subject: [PATCH 5/5] reverting unnecessary changes from ci-lint.yml --- .github/workflows/ci-lint.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index 37798a7d30..8f5091ec23 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml 
@@ -18,13 +18,13 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false - - name: Use Node.js 20.x + - name: Use Node.js 22.x uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: 20.x + node-version: 22.x - name: Get node modules run: npm ci env: CI: true - name: Lint source code - run: npm run lint \ No newline at end of file + run: npm run lint